Thycotic’s Cyber Security Publication

November 27th, 2013

Being a self-service password reset tool, Password Reset Server needs its end-users to enroll in the product by answering security questions. This can become a challenge if you want your users to begin changing their passwords immediately, or if you are having difficulty getting users to respond to the enrollment reminders. Password Reset Server offers a couple of solutions to this challenge.

First, Password Reset Server has recently released Automatic Enrollment. Automatic Enrollment syncs users’ Active Directory attributes, such as email, phone and address, and allows those values to be used as the answers to the end-user’s security questions. This works well if your users’ profiles in Active Directory are accurate and up to date, and if you are using text-, email- or SMS-based questions.

Second, for those of you who want security questions that go beyond what is listed in AD attributes, you can use a Logon Script to get your users to enroll. The Logon Script suits organizations that also want to include more personal challenge questions, such as a user’s “Favorite Food” or “Childhood Friend.”

A Logon Script is a piece of code, usually a batch file or a Visual Basic/PowerShell script, which is deployed using Group Policy and runs as a user logs into their machine. Password Reset Server has an accessible API that can be used to create personalized reminders for those users who have not yet enrolled in Password Reset Server or completed their personal security questions.

Setting up a Logon Script is simple! First, we created a script that calls the Password Reset Server Web Services, and then we configured that script to run at the user’s logon. For example, we used the following PowerShell script, which checks the enrollment status of a user and directs them to Password Reset Server if they are not yet enrolled. If they have already enrolled, it simply stops running.

After creating the script, you will want to assign it in the domain Group Policy. Select the objects that you want affected by the Logon Script, edit the policy, and navigate to User Configuration > Policies > Windows Settings > Scripts. Right-click and select Properties. Next, click the PowerShell Scripts tab inside the Group Policy Editor and add your newly created script. You can then select the GPO run option to have this script run first or last after logon. When this is done, click Apply and OK, and you have successfully created a logon script that will prompt users to enroll in Password Reset Server if they have not already. It’s that easy!
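The enrollment-check logon script described above, as an added example rather than the script from the original post. The web-service base URL, the EnrollmentStatus path, the IsEnrolled response field and the Enroll page are assumptions; replace them with the names from your Password Reset Server web services documentation.

```powershell
# Added example logon script (not the original post's script).
# Assumed, hypothetical names: $BaseUrl, the EnrollmentStatus path, the
# IsEnrolled field and the Enroll page. Take the real ones from your PRS docs.
param(
    [string]$BaseUrl    = 'https://prs.example.local/PasswordResetServer',  # assumption
    [string]$StatusPath = 'api/EnrollmentStatus'                            # assumption
)

$ErrorActionPreference = 'Stop'
$user   = $env:USERNAME
$domain = $env:USERDOMAIN

try {
    # Authenticate with the logged-on user's Windows credentials over HTTPS;
    # no API key or password is stored in the script or in SYSVOL.
    $uri    = "$BaseUrl/$StatusPath?domain=$domain&username=$user"
    $status = Invoke-RestMethod -Uri $uri -UseDefaultCredentials -TimeoutSec 10
}
catch {
    # A logon script must never block or delay logon: if the web service is
    # unreachable or rejects the call, exit quietly (fail open) and try next logon.
    exit 0
}

# Already enrolled: nothing to do.
if ($status.IsEnrolled) {
    exit 0
}

# Not enrolled: show a reminder for up to 30 seconds, then open the
# enrollment page in the user's default browser.
$shell = New-Object -ComObject WScript.Shell
$shell.Popup(
    "You have not yet enrolled in Password Reset Server. Please complete your security questions now.",
    30, "Password Reset Server", 0x40) | Out-Null
Start-Process "$BaseUrl/Enroll"   # assumed enrollment page
exit 0
```

Because the script fails open, pair it with the enrollment reports in Password Reset Server so that users whose check never completes are still followed up.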